In February, Facebook announced it had been hacked after the company’s engineers visited a compromised website hosted by an iOS app developer. Hackers had infected the website with mobile malware that downloaded automatically onto visitors’ machines without their knowledge. Although the Facebook machines had up-to-date antivirus software, the attack was a zero-day exploit, so no antivirus software could have prevented it. Instead of defeating the antivirus, the hackers bypassed Facebook’s security by exploiting flaws in Oracle’s Java, a programming language used to build websites. Kaspersky Lab attributes approximately half of all 2011 cyberattacks to Java weaknesses.
Although Facebook did not publicly name the website responsible for the attacks, many believe it was hosted by iPhoneDevSDK (Isaac 2013; Schwartz 2013; Smith 2013). Hackers injected malicious code into the iPhoneDevSDK website after gaining access to an administrator’s account (Smith 2013). This was the first move in a broader effort to infiltrate the systems of the website’s larger, more secure customers. This tactic is called a “watering hole attack,” because the hackers used a third-party website as bait to attract their intended victims. When mounting this type of attack, the hackers do not know in advance who their ultimate victims will be; instead, they choose their “watering holes” based on the websites’ vulnerabilities and known clientele. For instance, iPhoneDevSDK is a known hub for large tech companies seeking to share information about mobile app development (Isaac 2013). Apple, Microsoft, and Twitter were also victims of this attack (Schwartz 2013).
Investigators report that the hackers were an Eastern European gang hoping to steal large tech companies’ proprietary research and intellectual property (Gross 2013). Some believe that, because tech companies often share source code with their mobile app developers, the hackers hoped to obtain information that would enable them to develop zero-day exploits for future attacks on smartphones and tablets (Smith 2013). Whatever their goal, the hackers may have infiltrated the systems of hundreds of tech companies (Smith 2013).
Analysis
Zero-day attacks are difficult to stop, since they exploit unknown vulnerabilities and have no defined signature. Even so, Facebook could have done two things to mitigate such an attack. First, Facebook should have been more cautious about using Java. While the average user could be excused for not knowing about Java’s history of exploitable vulnerabilities, Facebook is a tech company that should have known better. Java was responsible for so many cyberattacks in 2011 that the U.S. Department of Homeland Security advised everyone to disable Java in January 2012. Thus, even though the hackers used a zero-day Java exploit, they were exploiting software with a long-running reputation for exploitability.
Second, Facebook should be more cautious when trusting vendors’ security. It is unlikely the hackers could have successfully attacked Facebook head-on. The hackers knew this and resorted to a “watering hole” trap. Given that so many mobile app developers are cash-strapped (i.e., security-poor) start-ups, we will likely see more attacks using this tactic. If Facebook plans to build a long-term relationship with a vendor, the companies should consider integrating their network security. This means Facebook may have to invest its own resources to extend its security perimeter to smaller partners.
If this is not an option, Facebook should consider using virtual machines or sandboxed applications whenever accessing external hosts. A sandbox isolates the application being used so that changes made by the application are not persisted once the application is closed. This means that anything created or changed by the sandboxed application, including malware downloads, is discarded when the session ends. Similarly, virtual machines can be set to revert to a known-good restore point whenever the machine is shut down, so any malware changes or downloads made inside the virtual machine are automatically discarded at shutdown.
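As an added illustration (not part of the original essay) of the discard-on-close behaviour described above, the following Python models a sandboxed session as a disposable copy of an application profile directory: writes made during the session, including a simulated drive-by download, vanish when the session ends, and a content hash confirms the real profile is untouched. All directory names and sample files are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def fingerprint(root: Path) -> str:
    """Hash every file's relative path and contents under root, in a stable order."""
    h = hashlib.sha256()
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h.update(str(p.relative_to(root)).encode())
            h.update(p.read_bytes())
    return h.hexdigest()


class SandboxSession:
    """Hand out a disposable copy of `baseline`; destroy it, and all writes to it, on exit."""

    def __init__(self, baseline: Path):
        self.baseline = baseline
        self.workdir = None

    def __enter__(self) -> Path:
        tmp = Path(tempfile.mkdtemp(prefix="sandbox-"))
        self.workdir = tmp / "profile"
        shutil.copytree(self.baseline, self.workdir)  # snapshot the real profile
        return self.workdir

    def __exit__(self, *exc):
        shutil.rmtree(self.workdir.parent, ignore_errors=True)  # discard the whole session


def demo() -> dict:
    """Simulate a drive-by download inside the sandbox and report what survived."""
    base = Path(tempfile.mkdtemp(prefix="realprofile-"))
    (base / "bookmarks.txt").write_text("intranet\n")  # constructed baseline profile
    before = fingerprint(base)
    with SandboxSession(base) as work:
        (work / "dropped.bin").write_bytes(b"constructed payload stand-in")
        seen_in_sandbox = (work / "dropped.bin").exists()
    result = {
        "seen_in_sandbox": seen_in_sandbox,
        "survived_in_real_profile": (base / "dropped.bin").exists(),
        "baseline_unchanged": fingerprint(base) == before,
        "sandbox_removed": not work.exists(),
    }
    shutil.rmtree(base)
    return result
```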
Other sources:
Isaac, M. (2013, February 19). This is the site likely responsible for the recent major tech company hacks. All Things D. Retrieved from http://allthingsd.com.
Gross, D. (2013, February 20). Report: Eastern European gang hacked Apple, Facebook, Twitter. CNN Tech. Retrieved from http://www.cnn.com.
Schwartz, M. J. (2013, February 25). Microsoft hacked: joins Apple, Facebook, Twitter. Information Week Security. Retrieved from http://www.informationweek.com.
Smith, G. (2013, February 20). Hackers who attacked Twitter, Facebook, Apple may have ‘hundreds’ more victims. Huff Post Tech. Retrieved from http://www.huffingtonpost.com.